MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 Command and Scripting Interpreter: PowerShell
The PDF file contains a prominent link disguised as a download button, which is a common lure for malicious content. This link directs to a redirector URL, 'https://ttraff.com/wix?keyword=get+out+mp4+movie+download', which is flagged as malicious. The document also contains a large number of embedded links, many pointing to 'static.usrfiles.com', suggesting a link farm or SEO poisoning tactic to attract victims. No scripts were extracted, but the presence of a malicious redirector and a clear social engineering lure indicates a high likelihood of a drive-by download or phishing attempt.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=get+out+mp4+movie+download
- https://static.usrfiles.com/ugd/469aea_bb51ca95ed484a4490df53f5f7e9bf81.pdf
- https://static.usrfiles.com/ugd/0511f5_aa6d1d0ce06544f1b784a53630a679cc.pdf
- https://static.usrfiles.com/ugd/b8c837_4f0ef534d9c14e938ebf0f527d2bec38.pdf
- https://cdn.shopify.com/s/files/1/0430/9070/6589/files/mpdf_page-_break-_inside_avoid_not_working.pdf
- https://cdn.shopify.com/s/files/1/0450/4797/1990/files/imperative_programming_techmax.pdf
- https://cdn.shopify.com/s/files/1/0431/6394/3067/files/sixativezodipozenun.pdf
- https://static.usrfiles.com/ugd/b8c837_abdea59f2c09443eb3448a52612afc84.pdf
- https://static.usrfiles.com/ugd/850f07_57ce78ae02214f3a9e00476d128944ef.pdf
- https://static.usrfiles.com/ugd/b8c837_63d90ac156de4c11bdc0aa0bbbf60d20.pdf
- https://static.usrfiles.com/ugd/44b221_447df7b8c4b448f78b5280d74fc012f1.pdf
- https://static.usrfiles.com/ugd/b8c837_b163dd7a12994e479ffc31d4ffef78a0.pdf
- https://cdn.shopify.com/s/files/1/0430/4610/9345/files/34324816868.pdf
- https://cdn.shopify.com/s/files/1/0432/6644/1376/files/62763570119.pdf
- https://cdn.shopify.com/s/files/1/0431/8802/7556/files/gb_instruments_gdt-_11.pdf
- https://cdn.shopify.com/s/files/1/0437/5789/5841/files/duxufajakuwekuwilote.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006ec5.bin51e676ac22f5eb3944126097ac2fde2cd26b42e3a5fd6050685f71626b85ff8a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6EC5 | 5104 bytes |
font_01_sfnt_off00008031.bin51fdc216bbab3a8233c440b9ba7c153cd594eda5ae0b0f30c96a5b2709beb13d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8031 | 10388 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.